Working with NTFS permissions in PowerShell (Part 2)

In the first part we discussed how NTFS permissions work and we also talked about the components of the security descriptor. In this second part we will show how to apply this in some real-life examples.

Adding a user to the ACL of a directory

In this first example we will add a user to the ACL of a directory. Obviously the code below could be written more compactly, but for the purpose of this tutorial it makes more sense to break it down to make it easier to understand.

First we get the current ACL of the directory. Then we define the different parts of the new ACE and store each of them in a variable. Finally we bring those variables together, feed them to the SetAccessRule method and write the updated ACL back to the directory.

Removing inheritance from a directory

By default any permission that is configured on a directory will be inherited by its children. In some cases you may want to define stricter permissions. Because inherited permissions cannot be removed directly, we first need to break the inheritance.

The inheritance can be manipulated with the SetAccessRuleProtection method. You will need to specify two parameters:

  • isProtected: when set to $true the directory will be “protected” against inheriting permissions from the parent directory. In other words, it will no longer inherit the permissions. When set to $false, the inheritance will remain intact.
  • preserveInheritance: when set to $true, the currently inherited permissions will remain present, but will be converted into explicit permissions. This will make it possible to manipulate these permissions afterwards. When set to $false, all inherited permissions will be removed.

Removing permissions from a directory

In this example we will remove all permissions from a directory, except those for Administrators and SYSTEM. Obviously, a prerequisite is that inheritance has been removed from the directory first (please review the previous example on how to do that); inherited ACEs cannot be removed and the RemoveAccessRule call would silently have no effect on them.
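The three procedures above (adding an ACE, breaking inheritance while preserving the inherited ACEs, and then stripping everything except Administrators and SYSTEM) carried out end to end, as an added example that is not the original post's code. It assumes the directory C:\Data\Projects exists and that CONTOSO\jdoe is a valid account; both are placeholders to adjust.

```powershell
# Added example, not part of the original post. $Path and $Account are placeholders.
$Path    = 'C:\Data\Projects'
$Account = 'CONTOSO\jdoe'

# 1. Add an explicit Allow ACE for the user (Modify, inherited by subfolders and files).
$acl         = Get-Acl -Path $Path
$identity    = [System.Security.Principal.NTAccount]$Account
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $identity, $rights, $inheritance, $propagation, $type
$acl.SetAccessRule($rule)          # replaces any existing Allow ACE for this identity
Set-Acl -Path $Path -AclObject $acl

# 2. Break inheritance. isProtected = $true stops inheriting from the parent;
#    preserveInheritance = $true keeps the inherited ACEs as explicit copies so
#    they can be edited (or removed) in the next step.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# 3. Remove every explicit ACE except Administrators and SYSTEM. Keeping these two
#    guarantees the account running this script does not lock itself out.
$acl  = Get-Acl -Path $Path
$keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
foreach ($ace in @($acl.Access)) {      # snapshot the collection before modifying
    if ($ace.IsInherited) { continue }  # inherited ACEs cannot be removed here
    if ($keep -notcontains $ace.IdentityReference.Value) {
        [void]$acl.RemoveAccessRule($ace)
    }
}
Set-Acl -Path $Path -AclObject $acl

# Verify the result: only Administrators and SYSTEM should remain, none inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated session that is a member of Administrators, since step 3 removes the explicit ACE added in step 1 along with everything else that is not in $keep.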
